Verification of Real-Time Specification Patterns on Time Transition Systems Nouha Abid 1,2, Silvano Dal Zilio 1,2, and Didier Le Botlan 1,2 1 CNRS ; LAAS ; 7 avenue colonel Roche, F-31077 Toulouse, France 2 Université de Toulouse ; UPS, INSA, INP, ISAE, UT1, UTM ; Toulouse, France Abstract. We address the problem of checking properties of Time Transition Systems (TTS), a generalization of Time Petri Nets with data variables and priorities. We are specifically interested by time-related properties expressed using real-time specification patterns, a language inspired by properties commonly found during the analysis of reactive systems. Our verification approach is based on the use of observers in order to transform the verification of timed patterns into the verification of simpler LTL formulas. While the use of observers for model-checking timed extensions of temporal logics is fairly common, our approach is original in several ways. In addition to traditional observers based on the monitoring of places and transitions, we propose a new class of observers for TTS models based on the monitoring of data modifications that appears to be more efficient in practice. Moreover, we provide a formal framework to prove that observers are correct and non-intrusive, meaning that they do not affect the system under observation. Our approach has been integrated in a verification toolchain for Fiacre, a formal modeling language that can be compiled into TTS. 1 Introduction A distinctive feature of real-time systems is to be subject to severe time constraints that arise from critical interactions between the system and its environment. Since reasoning about real-time systems is difficult, it is important to be able to apply formal validation techniques early during the development process and to define formally the requirements that need to be checked. In this work, we follow a classical approach for explicit-state model checking: we use a highlevel language able to describe systems of communicating processes; our goal is to check the validity of specifications expressed in a logical-based formalism; the verification of a system consists in compiling its description and its requirements into a low-level model for which we have the appropriate theory and the convenient tooling. We propose a new treatment for this traditional approach. We focus on a dense real-time model and use a patterns specification language instead of a timed extension of a temporal logic. One of our contribution is to propose a new decidable verification procedure for a real-time extension to the patterns language of Dwyer et al. [12]. Instead of using real-time extensions of temporal
logic, we propose a patterns language, inspired by properties commonly found during the analysis of reactive systems, that can facilitate the specification of requirements by non-expert. This patterns language can be used to express constraints on the timing as well as the order of events, such as the compliance to deadline or minimum time bounds on the delay between events. While we may rely on timed temporal logics as a way to define the semantics of patterns, the choice of a patterns language has some advantages. For one, we do not have to limit ourselves to a decidable fragment of a particular logic which may be too restrictive or have to pay the price of using a comprehensive real-time modelcheckeing, that have a very high theoretical complexity. We address the problem of checking patterns on Time Transition System (TTS), a generalization of Time Petri Nets with data variables and priorities. Our verification approach is based on the use of observers in order to transform the verification of timed patterns into the verification of simpler reachability properties. For the purpose of this work, we focus on a simple deadline pattern, named leadsto, and define different classes of observers that can be used to check it. We have applied our approach to a much richer patterns language, with operators that can express requirements on the occurrence and order of events in a system during its execution. A complete description of the patterns language can be found in [1] (we also include a global presentation of the patterns language in Appendix A). While the use of observers for model-checking timed extensions of temporal logics is fairly common, our approach of the problem is original in several ways. In addition to traditional observers that monitor places and transitions, we propose a new class of observers for Time Transition System (TTS) models that monitor data modifications, and which appears to be more efficient in practice. Another contribution is the definition of a formal framework to prove that observers are correct and non-intrusive, meaning that they do not affect the system under observation. This framework is useful for adding new patterns in our language or for proving the soundness of optimizations. Beside this theoretical framework, we also provide experimental results. The complete framework defined in this paper has been integrated into a verification toolchain for Fiacre [7] the high-level modeling language, in our context (see Fig 1). Fiacre is the intermediate language used for model verification in Topcased [13] an Eclipse based toolkit for critical systems where it is used as the target of model transformation engines from various languages, such as SDL, UML or AADL [5]. Fiacre is also the source language of compilers into two verification toolboxes: TINA, the TIme Petri Net Analyzer toolset [9], and CADP [14]. For the low-level model, we rely on Time Transition System (TTS), a generalization of Time Petri Nets with data variables and priorities that is one of the input formats accepted by TINA and the output of Frac compiler (the Fiacre compiler for the TINA toolbox). In our toolchain (Fig 1), the Fiacre program, which is combined with patterns, is compiled into TTS model using Frac compiler. The TTS generated is verified then with TINA toolbox. We give some experimental results on the impact of the choice of observers on the size
of the state graphs that need to be generated, that is on the space complexity of our verification method, and on time for verification which refers to the total time needed to generate and to verify the system. Fig. 1. The global verification toolchain Outline we define the TTS model and the semantics of timed traces in Section 2. Sections 3 and 4 describe our property specification language and the verification framework. In Section 5, we give some experimental results on the use of the leadsto pattern. We conclude with a review of the related work, an outline of our contributions and some perspectives on future work. 2 Time Transition Systems We briefly describe the Fiacre formal verification language and show the connection between this high-level language and Time Transition Systems (TTS), an internal format used in our model-checking tools. 2.1 The Fiacre Language Fiacre is a formal specification language designed to represent both the behavioral and timing aspects of real-time systems. The design of the language is inspired by Time Petri Nets (TPN) for its timing primitives, while the integration of time constraints and priorities into the language can be traced to the BIP framework [10]. A formal definition of the language is given in [7,8]. Fiacre programs are stratified in two main notions: processes, which are well-suited
for modeling structured activities, and components, which describes a system as a composition of processes, possibly in a hierarchical manner. The listings in Fig. 1.1 and 1.2 give a simple example that models the behavior of a mouse button with double-clicking. The behavior, in this case, is to emit the event double if there are more than two click events in strictly less than one unit of time (u.t.). Note that we use a dense-time model. Listing 1.1. Process process P [click, single, double, delay : none] is states s0, s1, s2 var dbl : bool := false from s0 click; to s1 from s1 select click; dbl := true; loop [] delay; to s2 end from s2 if dbl then double else single end; dbl := false; to s0 Listing 1.2. Component component Mouse [click, single, double : none] is port delay : none in [1,1] priority delay > click par P [click, single, double, delay] end Fig. 2. A double-click example in Fiacre A process is defined by a set of parameters and control states, each associated with a set of complex transitions (introduced by the keyword from). Complex transitions are expressions that declares how variables are updated and which transitions may fire. They are built from deterministic constructs available in classical programming languages (assignments, conditionals, sequential composition,...); non-deterministic constructs (choice and non-deterministic assignments); communication events on ports; and jump to next state. For example, Listing 1.1 declares a process named P, with four communication ports (click to delay) and one local boolean variable, dbl. Ports may send and receive typed data. The port type none means that no data is exchanged, these ports simply act as synchronization events. Regarding complex transitions, the expression for s1, for instance, declares that in state s1 the process may either: (1) receive a click event from the environment, set dbl to true and stay in state s1; or (2) receive an event delay and move to s2. A component is defined as the parallel composition of processes and/or other components, expressed with the operator par... end. In a composition, processes can interact both through synchronization (message-passing) and accesses to shared variables (shared memory). Components are the unit for process instantiation and for declaring ports and shared variables. The syntax of components allows to associate timing constraints with communications and to define priority
between communication events. The ability to express directly timing constraints in programs is a distinguishing feature of Fiacre. For example, in Listing 1.2, the declaration of the local port delay means that for the instance of process P defined in Mouse the transition from s1 to s2 should take exactly one unit of time. We assume the reader is already familiar with the usual vocabulary of Time Petri nets [21] (such as the standard notions of markings and time intervals). 2.2 Informal Introduction Time Transition Systems (TTS) are a generalization of Time Petri Nets (TPN) with priorities and data variables. This computational model is very close to the abstract model for real-time systems defined by Henzinger et al [18] hence the choice of the name with a different syntax; we use Petri Nets instead of product of automata. We introduce a graphical syntax for TTS using a simple example that models the behavior of a mouse button with double-clicking, as pictured in Fig. 3. The behavior, in this case, is to emit the event double if there are more than two click events in strictly less than one unit of time (u.t.). Its precise semantics, expressed in terms of timed traces, is defined further (2.4). act: dbl := false pre: dbl == false single click act: dbl := true click τ s 0 s 1 [1; 1] double s 2 pre: dbl == true act: dbl := false Fig. 3. The double-click example in TTS Ignoring at first side conditions and side effects (the pre and act expressions inside dotted rectangles), the TTS in Fig. 3 can be viewed as a TPN with one token in place s 0 as its initial marking. From this state, a click transition may occur and move the token from s 0 to s 1. With this marking, the internal transition τ is enabled and will fire after exactly one unit of time, since the token in s 1 is not consumed by any other transition. Meanwhile, the transition labeled click may be fired one or more times without removing the token from s 1, as indicated by the read arc (arcs ending with a black dot). After exactly one unit
of time, because of the priority arc (a dashed arrow between transitions), the click transition is disabled until the token moves from s 1 to s 2. Data is managed within the act and pre expressions that may be associated to each transition. These expressions may refer to a fixed set of variables that form the store of the TTS. Assume t is a transition with guards act t and pre t. In comparison with a TPN, a transition t in a TTS is enabled if there is both: (1) enough tokens in the places of its pre-condition; and (2) the predicate pre t is true. With respect to the firing of t, the main difference is that we modify the store by executing the action guard act t. For example, when the token reaches the place s 2 in the TTS of Fig. 3, we use the value of dbl to test whether we should signal a double click or not. 2.3 Formal Definition Notation : we write R + the set of nonnegative real numbers, and I(R + ) the set of non-empty convex subsets of R + (that is, intervals of R +, including all open or closed variants, as well as infinite intervals). Given an element I of I(R + ) and an element δ of R +, we define I δ as the set {x R + x + δ I}. If I δ is not empty, it is itself an element of I(R + ). Definition 1 (Time Transition System). A TTS is a 9-tuple P, T, S, M, <, tc, enb, cfl, ac, and its state is a triple (m, s, dtc) where: (a) P, T, and S are three disjoint sets, of places, transitions, and stores, respectively. (b) M is the set of markings of the TTS, that is, mappings from P to {0, 1}. (c) < is a binary, transitive relation over T which encodes the (static) priority relation between transitions. (d) tc ( static time constraint) is a mapping from T to I(R + ). (e) enb (enable predicate) is a predicate over T M S; cfl (conflict predicate) is a predicate over T M T and ac (action) is a mapping from T M S to M S. (f) The TTS state (m, s, dtc) is an element of M S (I(R + )) T. dtc is a mapping called the dynamic time constraint. The initial state of a TTS is written (m init, s init, tc). It requires the dynamic time constraint of every transition to be equal to its static time constraint. We make some comments on this definition. Condition (b) implies that the underlying Petri Net is one-safe. The interval dtc(t) is used to record the time elapsed waiting for the firing of t; therefore we require tc(t) = dtc(t) to hold in the initial state for all transitions t in T. In Fig.3, transitions without time constraints are associated to the time interval [0, + [. In condition (e), the predicate enb(t, m, s) indicates whether t is enabled under marking m and store s; cfl(t 1, m, t 2 ) indicates whether firing t 1 under marking m should reset the dynamic time interval of t 2 to its default value tc(t 2 ); and ac(t, m, s) returns a
new marking m and a new store s corresponding to the effect of firing t under marking m and store s. It is easy to show that the TTS model includes Time Petri Nets: take an empty store and define enb(t, m, ) as the predicate m pre(t), cfl(t, m, t ) as the predicate m pre(t) < pre(t ) and ac(t, m, ) as the function m pre(t) + post(t). 2.4 Semantics of TTS expressed as Timed Traces The behavior of a TTS is abstracted as a set of traces, called timed traces. In contrast, the behavior expected by the user is expressed with some properties (some invariants) to be checked against this set of timed traces. For instance, one may check the invariant that variable dbl is never true when s 0 is marked (using an accessibility check), or that transition click is followed by either single or double within one time unit (using an observer, as described in Sec. 3). As a consequence, traces must contain information about fired transitions (e.g. single), markings (e.g. m(s 0 )), store (e.g. current value of dbl), and elapsing of time (e.g. to detect the one-time-unit deadline). Formally, we define an event ω as a triple (t, m, s) recording the marking and store immediately after the transition t has been fired. We denote Ω the set T M S of possible events. Definition 2 (Timed trace). A timed trace σ is a possibly infinite sequence of events ω Ω and durations d(δ) with δ R +. Formally, σ is a partial mapping from N to Ω = Ω {d(δ) δ R + } such that σ(i) is defined whenever σ(j) is defined and i j. The domain of σ is written dom σ. Using classic notations for sequences, the empty sequence is denoted ɛ; given a finite sequence σ and a possibly infinite sequence σ, we denote σσ the concatenation of σ and σ. Concatenation is associative. Definition 3 (Duration). Given a finite trace σ, we define its duration, (σ), using the following inductive rules: (ɛ) = 0 (σ.d(δ)) = (σ) + δ (σ.ω) = (σ) We extend to infinite traces, by defining (σ) as the limit of (σ i ) where σ i are growing prefixes of σ. Infinite traces are expected to have an infinite duration. Indeed, to rule out Zeno behaviors, we only consider traces that let time elapse. Hence, the following definition: Definition 4 (Well-formed traces). A trace σ is well-formed if and only if dom(σ) is finite or (σ) =. The following definition provides an equivalence relation over timed traces. This relation guarantees that a well-formed trace (not exhibiting a Zeno behavior) is only equivalent to well-formed traces. One way to achieve this would
be to require that two equivalent traces may only differ by a finite number of differences. However, we also want to consider equivalent some traces that have an infinite number of differences, such as for example the infinite traces (d(1).d(1).ω) and (d(2).ω) (where X is the infinite repetition of X). Our solution is to require that, within a finite time interval [0, δ], equivalent traces must contain a finite number of differences. Definition 5 (Equivalence over timed traces). For each δ > 0, we define δ as the smallest equivalence relation over timed traces satisfying σ.d(0).σ δ σ.σ, σ.d(δ 1 ).d(δ 2 ).σ σ.d(δ 1 + δ 2 ).σ, and σ.σ δ σ.σ whenever (σ) > δ. The relation is the intersection of δ for all δ > 0. By construction, is an equivalence relation. Moreover, σ 1 σ 2 implies (σ 1 ) = (σ 2 ). Our notion of timed trace is quite expressive. In particular, we are able to describe events which happen at the same date (with no delay in between) while keeping a causality relation (one event is before another). We now consider briefly the dynamic semantics of TTS, which is similar to the semantics of Time Petri-Nets [21]. It is expressed as a binary relation between states labeled by elements of Ω, and written (m, s, dtc) l (m, s, dtc ), where l is either a delay d(δ) with δ R + or an event ω Ω. We say that transition t is enabled if enb(t, m, s) is true. A transition t is fireable if it is enabled, timeenabled (that is 0 dtc(t)) and there is no fireable transition t that has priority over t (that is t < t ). Given these definitions, a TTS with state (m, s, dtc) may progress in two ways: Time elapses by an amount δ in R +, provided δ dtc(t) for all enabled transitions, meaning that no transition t is urgent. In that case, we define dtc by dtc (t) = dtc(t) δ for all enabled transitions t and dtc (t) = tc(t) for disabled transitions. Under these hypotheses, we have (m, s, dtc) d(δ) (m, s, dtc ) A fireable transition t fires. Let (m, σ ) be ac(t, m, s), and dtc be a new mapping such that dtc (t ) = tc(t ) for all newly enabled transitions t and for all transitions t in conflict with t (such that cfl(t, m, t ) holds). For other transitions, we define dtc (t ) = dtc(t ). Under these hypotheses, we have (m, s, dtc) (t,m,s ) (m, s, dtc ) We inductively define σ, where σ is a finite trace: ɛ is defined as the identity relation over states, and σω is defined as the composition of σ and ω (we omit details). We write (m, s, dtc) σ whenever there exist a state (m, s, dtc ) such that (m, s, dtc) σ (m, s, dtc ). Given an infinite trace σ, we write (m, s, dtc) σ if and only if (m, s, dtc) σ holds for all σ finite prefixes of σ. Finally, the set of traces of a TTS N is the set of well-formed traces σ such that (m init, s init, tc) σ holds. This set is written Σ(N). The TINA verification toolbox [9] offers several tools to work with TTS files, including a model-checker for a State-Event version of LTL. However, a
strong limitation of LTL model-checking is that it does not allow the user to express timing constraints, for example, that some deadline between significant events is met. In Sect. 4, we introduce a specification language that makes it easier to express real-time requirements. Each pattern in this language can be compiled into an observer expressed as a TTS, which is then composed with the original system, using a composition operator defined next. Thus, we reduce the verification of timed patterns into the verification of simple LTL properties on the composed system, for which we have the adequate tooling. 2.5 Composition of TTS and Composition of Traces We study the composition of two TTS and consider the relation between traces of the composed system and traces of its components. This operation is particularly significant in the context of this work, since both the system and the observer are TTS and we use composition to graft the latter to the former. In particular, we are interested in conditions ensuring that the behavior of the observer does not interfere with the behavior of the observed system. The composition of two TTS is basically the same as for TPN: we assume given a function lab associating a label, taken in a countable set L, to every transition. Then, transitions bearing the same label are synchronized. However, some conditions must be ensured so that composition is sound, as defined next: Definition 6 (Composable TTS, synchronized transitions). We consider two TTS, namely N 1 and N 2, defined as P i, T i, S i, M i, < i, tc i, enb i, cfl i, ac i for i=1, 2, respectively. The set of synchronized transitions of N 1 is {t 1 T 1 t 2 T 2. lab(t 1 ) = lab(t 2 )}. We define the set of synchronized transitions of N 2 similarly. Then, N 1 and N 2 are composable if the following conditions hold: 1. P 1 T 1 S 1 is disjoint from P 2 T 2 S 2. 2. for i = 1, 2, every synchronized transition t i of N i is such that tc i (t i ) = [0, + [, and there is no transition t T i with t < t i. The first condition ensures that N 1 and N 2 are disjoint, in particular they must use disjoint stores. As a consequence, no information can be exchanged through shared variables. Thus, synchronization occurs through transitions only. As stated by the second condition, in every pair of synchronized transitions, both transitions must have a trivial time constraint [0, + [. This condition as well as the condition on priorities is necessary to ensure compositionality, as stated by Property 1 below. Definition 7 (Composition). Assuming N 1 and N 2 are defined as above, let N be the TTS corresponding to their composition, which we write N = N 1 N 2. It is defined by the 9-tuple P, T, S, M, <, tc, enb, cfl, ac where: 1. P = P 1 P 2
2. Let be an element not in T 1 T 2. Let T 1 be T 1 { } and T 2 be T 2 { }. We define T as the following subset of T 1 T 2 : T = {(t 1, t 2 ) t 1 T 1, t 2 T 2, lab(t 1 ) = lab(t 2 )} {(t 1, ) t 1 T 1 and t 1 is not synchronized} {(, t 2 ) t 2 T 2 and t 2 is not synchronized} We remark that (, ) / T. 3. S = S 1 S 2 4. M = {0, 1} P. By noticing that M is in bijection with M 1 M 2, we may freely consider that elements of M are of the form (m 1, m 2 ) with m 1 M 1 and m 2 M 2. 5. < 1 is a binary relation on T 1. We may freely consider it as a binary relation on T 1 (and so there is no t T 1 with t < or < t). Similarly, < 2 is considered as a binary relation on T 2. Then, < is defined by: for all (t 1, t 1, t 2, t 2) (T 1 ) 2 (T 2 ) 2, we have (t 1, t 2 ) < (t 1, t 2) if and only if t 1 < t 1 or t 2 < t 2. As required, < is transitive (we omit the proof). 6. For all (t 1, t 2 ) in T, we define tc(t 1, t 2 ) as tc 1 (t 1 ) if t 1, and as tc 2 (t 2 ) otherwise. 7. enb((t 1, t 2 ), (m 1, m 2 ), (s 1, s 2 )) is defined as (t 1 = enb 1 (t 1, m 1, s 1 )) (t 2 = enb 2 (t 2, m 2, s 2 )). 8. cfl((t 1, t 2 ), (m 1, m 2 ), (t 1, t 2)) is defined as (t 1 t 1 cfl 1 (t 1, m 1, t 1)) (t 2 t 2 cfl 2 (t 2, m 2, t 2)) 9. By convention, for i = 1, 2, and for any m and s, we define ac i (, m, s) as (m, s). Then, ac((t 1, t 2 ), (m 1, m 2 ), (s 1, s 2 )) is defined as the pair ((m 1, m 2), (s 1, s 2)), where (m 1, s 1) is ac 1 (t 1, m 1, s 1 ) and (m 2, s 2) is ac 2 (t 2, m 2, s 2 ). Additionally, the initial state is defined as ((m init 1, m init 2 ), (s init 1, s init 2 ), tc). We now define composition of traces, and then show, in Property 1, that traces generated by N correspond to composition of traces from N 1 and traces from N 2. We extend lab to events and duration by defining lab(t, m, σ) = lab(t) and lab(d(δ)) = d(δ). Additionally, we say that an event ω is synchronized if and only if ω is a delay d(δ) or ω is (t, m, σ) and t is synchronized (as defined in Def. 6). In the same way that systems can be composed, it is possible to compose a timed trace of a TTS N 1 with the trace of another TTS N 2 when some conditions are met. Basically, events with the same label must occur synchronously, time elapses synchronously in both systems, and unsynchronized events events that are not shared between N 1 and N 2 can only be composed with d(0) (meaning they are not synchronized with an observable event). Definition 8 (Composable traces). Let Ω 1 and Ω 2 be the set of events of two TTS N 1 and N 2, respectively. We define the relation between Ω 1 and Ω 2 as the smallest relation satisfying the following inference system: lab(ω 1 ) = lab(ω 2 ) ω 1 ω 2 ω 2 not synchronized d(0) ω 2 ω 1 not synchronized ω 1 d(0)
This relation can be extended to pairs of traces (σ 1, σ 2 ) of N 1 N 2 as follows. We say that σ 1 and σ 2 are composable, which we write σ 1 σ 2, if and only if dom σ 1 = dom σ 2 and σ 1 (i) σ 2 (i) holds for all i dom σ 1. Notice that σ 1 σ 2 implies (σ 1 ) = (σ 2 ). We are now able to state the compositionality property. Remind that Σ(N) is the set of traces of N. Property 1 (Compositionality). Assume N 1 and N 2 are composable systems with events in Ω 1 and Ω 2 respectively. Let N be N 1 N 2 ; we write Ω its set of events. Then there exists a bijection f between Ω and a subset of Ω1 Ω2 such that: σ Σ(N 1 N 2 ) if and only if there exists a pair of traces (σ{ 1, σ 2 ) of Σ(N 1 ) Σ(N 2 ) with σ 1 σ 2, dom σ = dom σ 1, and σ(i) = d(δ) if σ1 (i) = σ i dom σ 2 (i) = d(δ) σ(i) = f 1 (σ 1 (i), σ 2 (i)) otherwise. In other words, given a trace σ Σ(N), one may extract two composable traces σ 1 Σ(N 1 ) and σ 2 Σ(N 2 ). Conversely, given two composable traces σ 1 Σ(N 1 ) and σ 2 Σ(N 2 ), one may build a corresponding trace in Σ(N), which we will write σ 1 σ 2. Thus, this property characterizes the set of traces of N in terms of traces of N 1 and N 2. Proof. Let E be the set (Ω 1 {d(0)}) (Ω 2 {d(0)}) \ (d(0), d(0)). Let f be the bijection between Ω and E defined as if t 1 t 2, then f((t 1, t 2 ), (m 1, m 2 ), (s 1, s 2 )) is ((t 1, m 1, s 1 ), (t 2, m 2, s 2 )). if t 1, then f((t 1, ), (m 1, m 2 ), (s 1, s 2 )) is ((t 1, m 1, s 1 ), d(0)). if t 2, then f((, t 2 ), (m 1, m 2 ), (s 1, s 2 )) is (d(0), (t 2, m 2, s 2 )). We now show that f satisfies the given property. We prove each way of the equivalence independently. Assume σ is a trace of N. Let us define σ 1 and σ 2 by dom σ 1 = dom σ 2 = dom σ and for all i dom σ, if σ(i) is d(δ) (for some δ), then σ 1 (i) = σ 2 (i) = d(δ), otherwise σ(i) is an event ω, then let (σ 1 (i), σ 2 (i)) be f(ω). It is straightforward to check that σ 1 σ 2 holds. It remains to be shown that σ 1 (resp. σ 2 ) is a trace of N 1 (resp. N 2 ). We show only the result for σ 1, the proof for σ 2 being similar. This is a consequence of the two following implications, where dtc 1 is the function dtc restricted to the domain T 1 (and similarly for dtc 1), and where f 1 (ω) is the first projection of f(ω). To ease the reading, we display these implications as inference rules: ((m 1, m 2 ), (s 1, s 2 ), dtc) d(δ) ((m 1, m 2 ), (s 1, s 2 ), dtc ) (m 1, s 1, dtc 1 ) d(δ) (m 1, s 1, dtc 1) ((m 1, m 2 ), (s 1, s 2 ), dtc) ω ((m 1, m 2), (s 1, s 2), dtc ) (m 1, s 1, dtc 1 ) f1(ω) (m 1, s 1, dtc 1)
We only sketch the proof of these rules. The delicate part concerns dtc (dealing with m and s is straightforward, by applying the definition of composition). More precisely, the (first projection of) enabled transitions of N is only a subset of enabled transitions of N 1, as a consequence of the definition of enb in Def. 7. To state it otherwise, not all enabled transitions of N 1 are enabled in N. Thus, there may be transitions t T 1 such that dtc 1(t 1 ) = dtc(t 1 ) whereas the expected value (according to the semantics of N 1 ) would be dtc 1(t 1 ) δ (in the first rule) or tc 1 (t 1 ) (in the second rule). Fortunately, these transitions t 1 must be synchronized transition (as a consequence of the definition of enb), therefore their time interval is always unconstrained, that is tc 1 (t 1 ) = dtc 1 (t 1 ) = [0; + [, as required by Def. 6, and by remarking that [0; + [ δ = [0; + [ for any δ in R +. Additionally, in the second rule, if f 1 (ω) is (t 1, m 1, s 1 ), we must ensure that no other transition in N 1 has priority over t 1, so that t 1 is fireable. This is a consequence of the definition of priorities in Def. 7 and of the condition on priorities in Def.6. Conversely, we assume given two composable traces σ 1 and σ 2 of N 1 and N 2, respectively. The trace σ is defined as stated in the property. It remains to be shown that σ is indeed a trace of N. The proof is actually very similar to the previous case (with the small difference that the condition on priorities is not used). This result is used to show the innocuousness of observers in Sec. 4.2. 3 A Real-Time Specification Patterns Language We introduce the specification patterns language available in our framework. A global presentation of the patterns is given in Appendix A. More details about this language are given in [1]. In this paper, we focus on an observer-based approach for the verification of patterns over TTS models. We also follow a pragmatic approach for studying several possible implementations for observers and selecting the most sensible one which we believe is new. Our language extends the property specification patterns of Dwyer et al. [12] with the ability to express time delays between the occurrences of transitions. The framework is expressive enough to define properties like the compliance to deadlines, bounds on the worst-case execution time, etc. The advantage of proposing predefined patterns is to provide a simple formalism to non-experts for expressing properties that can be directly checked with our model-checking tools. The patterns language follows the classification introduced in [12], with patterns arranged in categories such as universality, bounded existence, etc. In the following, we give some examples of absence and response patterns. More precisely, we focus on the response pattern with delay to show how patterns can be formally defined and to explain our different classes of observers. Absence pattern with delay this category of patterns can be used to specify delays within which activities must not occur. A typical pattern in this category
can be used to assert that a transition labeled with say E 2, cannot occur between d 1 and d 2 units of time after the first occurrence of a transition labeled with E 1. This is expressed as follows in our language: absent E 2 after E 1 for interval [d 1 ; d 2 ]. (absent) An example of use for this pattern would be an (unsatisfied) requirement that we cannot have two double clicks in less than 2 units of time (u.t.), that is absent double after double for interval [0; 2]. A more contrived example consists in requiring that if there are no single clicks in the first 10 u.t. of an execution then there should be no double clicks at all. This requirement can be expressed using the composition of two absence patterns using the implication operator and the reserved transition init (that identifies the start of the system): ( absent single after init for interval [0; 10] ) ( absent double after init for interval [0; [ ). Response pattern with delay this category of patterns can be used to express delays between transitions. The typical example of response pattern states that every occurrence of a transition labeled with E 1 must be followed by an occurrence of a transition labeled with E 2 within a time interval I. (We consider the first occurrence of E 2 after E 1.) E 1 leadsto E 2 within I. (leadsto) For example, using a disjunction of patterns, we can bound the time between a click and a mouse event: click leadsto (single double) within [0, 1]. Interpretation of patterns we can use different formalisms to define the semantics of patterns. In this work, we focus on a denotational interpretation, based on first-order formulas over timed traces. We illustrate our approach using the pattern E 1 leadsto E 2 within I. For the denotational definition, we say that the pattern is true for a TTS N if and only if, for every timed-trace σ of N, we have: σ 1, σ 2. (σ = σ 1 π 1 σ 2 ) σ 3, σ 4. σ 2 = σ 3 π 2 σ 4 (σ 3 ) I π 2 / σ 3 where π 1 (resp., π 2 ) is an atomic proposition that matches all events containing a transition t whose label is E 1 (resp., E 2 ). The denotational approach is very convenient for a tool developer (for instance to prove the soundness of an observer implementation in TTS) since it is self-contained and only relies on the definition of timed traces. As an alternative description of the pattern, we may use an MTL formula (see e.g. [20] for a definition of the logic): (π 1 ( π 2 ) U I π 2 ), which reads like a LTL formula enriched by a time constraint on the U operator. An advantage of our pattern-based approach is that we do not
have to restrict to a particular decidable fragment of the logic. For example, we do not require that the interval I is not punctual (of the form [d, d]); we add a pattern in our language only if we can provide a suitable observer for it, so that no decidability issue may arise. Last, we propose a graphical interpretation of patterns, mostly inspired by the Graphical Interval Logic (GIL) [11], called Time Graphical Interval Logic (TGIL), as pictured in the following diagram: π 1 π 2 The diagram reads as a recipe (from top to bottom): from any point in time (marked with a ), if there exists an occurrence of the atomic proposition π 1 in the future (take the first one), then there must exist a farther point for which π 2 holds and the delay between these two points is in the interval I. Given this TGIL diagram and a TTS N, the property holds if and only if every timedtrace σ of N satisfies the recipe. This graphical representation is expected to be more convenient than MITL when explaining the semantics of patterns to non-expert. 4 Patterns Verification We define different types of observers at the TTS level that can be used for the verification of patterns. (This classification is mainly informative, since nothing prohibits the mix of different types of observers.) We make use of the whole expressiveness of the TTS model: synchronous or asynchronous rendez-vous (through places and transitions); shared memory (through data variables); and priorities. The idea is not to provide a generic way of obtaining the observer from a formal definition of the pattern. Rather, we seek, for each pattern, to come up with the best possible observer in practice (see the discussion in Sect. 5). I 4.1 Observers for the Leadsto Pattern We focus on the example of the leadsto pattern. We assume that some transitions of the system are labeled with E 1 and some others with E 2. We give three examples of observers for the pattern: E 1 leadsto E 2 within [0, max[, meaning that whenever E 1 occurs, then (the first occurrence of) E 2 must occur before max units of time. The first observer monitors transitions and uses a single place; the second observer monitors places; the third observer monitors shared, boolean variables injected into the system (by means of composition). While the use of places and transitions is traditionally favored when observing Petri Nets certainly because of the definition of Petri Net composition the use of a data observer is quite new in the context of TTS systems. The results of our experiments seem to show that, in practice, this is a promising way to implement an observer.
E 1 [max, max] E 2 error E 1 act: flag := true error [max, max] pre: flag == true E 1 E 2 obs Fig. 4. Transition Observer E 2 act: flag := false Fig. 5. Data Observer Transition Observer (Fig. 4) the observer uses a place, obs, which records the time since the last transition labeled E 1 occurred. We use a classical graphical notation for Petri Nets where arcs with a black circle denote read arcs, while arcs with a white circle are inhibitor arcs. Place obs is emptied if a transition labeled E 2 is fired otherwise the transition error is fired after max units of time. The (dashed) priority arc between error and E 2 indicates that the transition E 2 cannot fire if the transition error can fire; which mean that the property is not verified if the first event E 2 after E 1 occurs exactly after max units of time. Proving that a TTS N satisfies this pattern amounts to checking that the system N O (where O is the observer) never reaches an event containing error. In the system displayed in Fig. 4, we use a deterministic observer, that examines all occurrences of E 1 for the failure of a deadline. By virtue of TTS composition (Def. 7), the observer in Fig. 4 duplicates each transition of N which is labeled E 1 (respectively E 2 ): one copy can be fired if obs is empty as a result of the (white-circled) inhibitor arc while the other can be fired only if the place is full. The transition error is fired if the place obs is full there is an instance of E 1 and the interval [max, max] is elapsed. It is also possible to define a non-deterministic observer, such that some occurrences of E 1 may be disregarded. This approach is safe since model-checking performs an exhaustive exploration of the TTS states, thus considering all possible scenarios. It is also quite close to the treatment obtained when compiling an (untimed) equivalent LTL property, namely (E 1 E 2 ), into an automaton [15]. Experiments have shown that the deterministic observer is more efficient, which underlines the benefit of singling out the best possible observer and looking for specific optimizations. Data observer (Fig. 5) in this observer, the transition error is conditioned by the value of a variable flag. This shared boolean variable, which is initially set to false, is true between the firing of a transition E 1 and the following transition E 2. Additionally, transition error is enabled only if flag is true. Therefore, like in the previous case, the verification of the pattern also boils down to checking the
reachability of the event error. Notice that the whole state of the data observer is encoded in its store, since the underlying net has no place. Place Observer (Fig. 6) in this part, we assume that events E 1 and E 2 are associated to the system entering some given states S 1 and S 2. We can easily adapt this net to observe events associated to transitions in the system. In our case, the observer will be composed with the system through its places S 1 and S 2 (we can extend the classic composition of Petri Nets over transitions to composition over places). In our observer, we use a transition labeled E 1 whenever a token is placed in S 1. Note that TTS obtained from Fiacre are onesafe, meaning that at most one token may be in S 1 at any given time. Likewise, we use a transition E 2 for observing that the system is in state S 2. The error transition is fired if the observer stays in state obs for more than max units of time, as needed. E 1 [0, 0] S 1 obs [max, max] error S 2 E 2 Fig. 6. Place Observer 4.2 Proving Innocuousness and Soundness of Observers We start by giving sufficient conditions for an observer O to be non-intrusive, meaning that the observer does not interfere with the observed system. Formally, we show that any trace σ of the observed system N is preserved in the composed system N O: the observer does not obstruct a behavior of the system (see Lemma 1 below). Conversely, we show that, from any trace of the composition N O, we can obtain a trace of N by erasing the events from O: the observer does not add new behaviors to the system. This is actually a consequence of Property 1 (see Sect. 2.5). We write T sync the set of synchronized transitions of the observer (as defined in Def. 6). Let ρ be a state of the observer, and σ a trace such that there exists ρ with ρ σ ρ. Then, we define O(ρ, σ) as the state ρ, that is, the state reached after executing trace σ from state ρ. We use O(σ) as a shorthand for O(ρ init, σ), where ρ init is the initial state. The following lemma states sufficient conditions for the observer to be non-intrusive.
Lemma 1. Assume O satisfies the following conditions: For every t in T sync, tc(t) = [0; + [, and t has no priority over other transitions. In every reachable state ρ of O, and for every l in lab(t sync ), there exists a (possibly empty) finite trace σ not containing transitions in T sync such that (σ) = 0 and there exists t T sync with lab(t) = l, which is fireable in state O(ρ, σ). There exists δ > 0 such that, in every reachable state ρ of O, there exists a (possibly empty) finite trace σ not containing transitions in T sync with ρ σd(δ). Then, for all σ 1 in Σ(N) there exists σ 2 in Σ(O) such that σ 1 and σ 2 are composable. A few comments: first condition is necessary for composition (as required by Def. 6). Second condition ensures that the observer does not prevent the firing of a (l-labeled) synchronized transition for more than 0 units of time. Note also that the observer cannot involve other synchronized transitions while reaching a state where l is firable, since this would abusively constrain the behavior of the main system not to mention deadlock issues. Third condition ensures that the observer may always let time significantly elapse, without requiring synchronized transitions either (for the same reason). From the compositionality property (Property 1, Sect. 2.5), it follows that the composed trace σ 1 σ 2 belongs to Σ(N O), which means that every valid behavior σ 1 of the observed system N is also present in the behavior of N O. Proof. We assume O satisfies the given hypotheses. We have to build a trace σ 2 in Σ(O) such that σ 1 σ 2. Since traces are considered up to equivalence, we actually build two traces σ 2 and σ 3 such that both σ 2 σ 3 and σ 1 σ 3 hold: For all σ 1 in Σ(N), there exist σ 2 in Σ(O) and σ 3 in Σ(N) such that σ 1 σ 3, and for all t > 0, for all σ a 3 finite prefix of σ 3 with (σ a 3) < t, there exists σ a 2 finite prefix of σ 2 such that σ a 2 σ a 3 holds. We provide an algorithm f that builds σ 2 and σ 3 incrementally. The inputs of f are σ 1, σ a 1, σ a 2 and σ a 3. They must satisfy the following: σ 1 σ a 3σ a 1 holds, as well as σ a 2 σ a 3. Intuitively, σ a 3 is the part of σ 1 (up to equivalence) that has already been done, whereas σ a 1 is the part remaining to be considered. The algorithm returns a new triple σ b 1, σ b 2 and σ b 3, which satisfies similar conditions, and such that σ a 2 and σ a 3 are prefixes of σ b 2, and σ b 3 respectively. The algorithm is invoked iteratively with the returned triple. In the finite case (when σ 1 is finite), it eventually reaches a point where σ a 1 is empty, in which case σ 1 σ a 3 holds. In the infinite case, we take σ 2 as the limit of σ b 2, and σ 3 as the limit of σ b 3. We now provide the details of the algorithm, then we consider its soundness, being careful with respect to well-formedness conditions (checking in particular that the algorithm does not pile up infinite sequences of zero-delay events).
Algorithm f(σ 1, σ a 1, σ a 2, σ a 3) : let x and σ 1 be such that σ a 1 equals xσ 1. With no loss of generality, we may freely assume that x is not d(0). We proceed by case on x: (a) If x is an event (t, m, s) with t / T sync, then we return σ b 1 = σ 1, σ b 2 = σ a 2d(0), and σ b 3 = σ a 3x. (b) If x is an event (t, m, s) with t T sync, then by hypothesis on O, there exists a finite trace σ not containing transitions in T sync such that (σ) = 0, σ a 2σ Σ(O) and t is fireable in O(σ a 2σ) with lab(t ) = lab(t). Let σ be the sequence with the same length as σ and whose elements are d(0). Let ω be (t, m, s ) where m and s are an appropriate marking and state such that σ a 2σω is in Σ(O). Then, we return σ b 1 = σ 1, σ b 2 = σ a 2σω, and σ b 3 = σ a 3σ x. (c) If x is d(δ), then by hypothesis on O, there exists δ 2 > 0 and a finite trace σ not containing transitions in T sync such that σ a 2σd(δ 2 ) is in Σ(O). Let σ be the sequence with the same length as σ and whose elements are d(0) or d(δ i ), with appropriate δ i such that σ σ holds. We distinguish two subcases: (i) either δ (σ) + δ 2, in which case we return σ b 1 = σ 1, σ b 2 = σ a 2σd(δ (σ)) and σ b 3 = σ a 3σ d(δ (σ)) provided δ (σ) 0. If δ (σ) < 0, we have to truncate both σ and σ at duration δ (omitting the details). (ii) either (σ) + δ 2 < δ, in which case we return σ b 1 = d(δ δ 2 )σ 1, σ b 2 = σ a 2σd(δ 2 ), and σ b 3 = σ a 3σ d(δ 2 ). There is no difficulty in checking that, for each case, the returned triple satisfies the output conditions, that is, σ 1 σ b 3σ b 1 and σ b 2 σ b 3, as long as σ a 1, σ b 1, and σ c 1 satisfy the input conditions, that is, σ 1 σ a 3σ a 1 and σ a 2 σ a 3. This implies that σ 2 σ 3 holds (both in the finite and infinite case). However, care must be taken to show that σ 1 σ 3 holds in the infinite case (the finite case being immediate). To prove this last point, we now consider σ 1 infinite, which implies (σ 1 ) = by well-formedness of σ 1. Thus, we only have to show that (σ 3 ) = (that is, σ 3 is well-formed), which implies σ 1 σ 3 (omitting the details). This is proven by means of contradiction: assume (σ 3 ) is finite, although σ 3 is infinite. Then, necessarily, at least one case (or subcase) of the algorithm is repeated an infinite number of steps. It cannot be subcase (ii) because δ 2 is a positive constant, and thus d(δ 2 ) cannot occur an infinite number of times in σ 3, whose duration is finite. As a consequence, after a finite number of iterations, all delays d(δ) occuring in σ 1 are handled by subcase (i). It cannot be subcase (i) either, because otherwise (σ 1 ) would also be finite. It cannot be cases (a) nor (b) either, because otherwise σ 1 would end with an infinite sequence of events (t, m, s), with no delay, which would imply (σ 1 ) is finite. The conditions in Lemma 1 are true for the implementation of the leadsto observer, defined in Fig. 4 and in Fig. 5. Therefore these observers cannot interfere with the system under observation. Next, we prove that the transition observer is sound, meaning that it reports correctly if its associated pattern is valid or not. We prove the soundness of this observer by showing that, for any TTS N, the event error does not appear in the traces of N O if and only if
the pattern is valid for N. We write error N O to mean there exists a trace σ σ in Σ(N O) such that error σ. Lemma 2. We have error / N O if and only if for all σ Σ(N) such that σ = σ 1 ω 1 σ 2 for some traces σ 1, σ 2 and ω 1 with lab(ω 1 ) = E 1, there exist σ 3, ω 2, and σ 4 with σ 2 = σ 3 ω 2 σ 4, lab(ω 2 ) = E 2, and (σ 3 ) < max. Proof. This is a consequence of the following result, where for any trace σ, we write lab(σ) for the set of labels occurring in σ, that is i dom σ lab(σ(i)). Result 1 Assume σ 1 Σ(N) and σ 2 Σ(O) with σ 1 σ 2. We additionally assume that σ 1 and σ 2 are maximal, that is, there is no traces σ 1 σ 1 Σ(N) and σ 2 σ 2 Σ(O) such that σ 1 σ 1 σ 2 σ 2 holds. Under these hypotheses, we have error σ 2 if and only if there exist σ a 1, ω 1, σ b 1, and σ c 1 such that σ 1 = σ a 1ω 1 σ b 1σ c 1 lab(ω 1 ) = E 1 (σ b 1) max E 2 / lab(σ b 1). Proof. We first show the if way. We define three subcases: either (σ1) c = 0 (subcase i), or, without loss of generality, we may freely assume that either (σ1) b > max (subcase ii), or that the first event of σ1 c is labeled with E 2 (subcase iii). In all these subcases, since σ 1 σ 2 holds, σ 2 is necessarily of the form σ2ω a 2 σ2σ b 2 c with σ1 a σ2, a ω 1 ω 2, σ1 b σ2, b and σ1 c σ2 c (as a consequence of Definition 8). This implies lab(ω 2 ) = E 1, (σ2) b = (σ1) b max and E 2 / lab(σ2). b Additionally, either (σ2) c = 0 (subcase i holds), or (σ2) b > max (subcase ii), or the first event of σ2 c is labeled with E 2 (subcase iii). Let ρ be O(σ2ω a 2 ). By construction of the observer, error is necessarily enabled in state ρ. Also by construction, only the firing of error or the firing of E 2 may disable error. Moreover, the time constraint on error ensures that it cannot remain enabled continuously for more than max units of time. We now consider the three subcases defined above: Subcase(i) : we have (σ c 2) = 0. Necessarily, error must be fired in σ b 2, otherwise error would be fireable at the end of σ 2, which is in contradiction with the hypothese that σ 1 and σ 2 are maximal. Subcase(ii) : we have (σ b 2) > max. Since E 2 is not fired in σ b 2, then error must be fired in σ b 2, that is, error σ 2. Subcase(iii) : we have (σ b 2) = max, and the first event of σ c 2 is E 2. As a consequence, error cannot be fireable in O(σ a 2ω 2 σ b 2) because it would have priority over the next event to come, namely E 2, which is a contradiction with the semantics. Thus, error must be fired in σ b 2, that is, error σ 2. In all cases, we see that error is fired in σ2. b This concludes the if way. Conversely ( only if way), we assume that error σ 2. By construction of the observer, error must have been enabled for max units of time, that is σ 2 = σ2σ a 2 b ω 3 σ2, c with lab(ω 3 ) = error, (σ 2 b ) = max, and error is enabled in all events of σ 2 b. Without loss of generality, we may take σ 2 b as large as possible, which implies that it starts with the first event that enabled error. σ 2 b = ω 2 σ2, b where lab(ω 2 ) = E 1, necessarily. Additionally, since error is kept enabled for all events of σ2, b we must have E 2 / lab(σ2). b Finally, since σ 1 σ 2 holds, there exist σ1, a
ω 1, σ b 1, σ c 1 with σ 1 = σ a 1ω 1 σ b 1σ c 1, σ a 1 σ a 2, ω 1 ω 2, σ b 1 σ b 2 and σ c 1 σ c 2. As a consequence, lab(ω 1 ) = E 1, (σ b 1) = max, and E 2 / lab(σ b 1). This concludes the proof. 5 Experimental Results Our verification framework has been integrated into a prototype extension of frac, the Fiacre compiler for the TINA toolbox. This extension supports the addition of real-time patterns and automatically compose a system with the necessary observers. (The software is available at http://homepages.laas.fr/ ~nabid.) In case the system does not meet its specification, we obtain a counterexample that can be converted into a timed sequence of events exhibiting a problematic scenario. This sequence can be played back using nd, the Time Petri Net animator provided by TINA. We define the empirical complexity of an observer as its impact on the augmentation of the state space size of the observed system. For a system S, we define size(s) as the size (in bytes) of the State Class Graph (SCG) [9] of S generated by our verification tools. In our verification tools, we use SCG as an abstraction of the state space of a TTS. State class graphs exhibit good properties: an SCG preserves the set of discrete traces and therefore preserves the validation of LTL properties and the SCG of S is finite if the Petri Net associated to S is bounded and if the set of values generated from S is finite. We cannot use the plain labeled transition system associated to S to define the size of S; indeed, this transition graph maybe infinite since we work with a dense time model and we have to take into account the passing of time. The size of S is a good indicator of the memory footprint and the computation time needed for model-checking the system S: the time and space complexity of the model-checking problem is proportional to size(s). Building on this definition, we say that the complexity of an observer O applied to the system S, denoted C O (S), is the quotient between the size of (S O) and the size of S. We resort to an empirical measure for the complexity since we cannot give an analytical definition of C O outside of the simplest cases. However, we can give some simple bounds on the function C O. First of all, since our observers should be non-intrusive (see Sect. 4.2), we can show that the SCG of S is a subgraph of the SCG of S O, and therefore C O (S) 1. Also, in the case of the leadsto pattern, the transitions and places-based observers add exactly one place to the net associated to S. In this case, we can show that the complexity of these two observers is always less than 2; we can at most double the size of the system. We can prove a similar upper bound for the leadsto observer based on data. While the three observers have the same (theoretical) worst-case complexity, our experiments have shown that one approach was superior to the others. We are not aware of previous work on using experimental criteria to select the best observer for a real-time property. In the context of untimed properties, this approach may be compared to the problem of optimizing the generation of Büchi Automata from LTL formulas, see e.g. [15].
Fig. 7. Complexity for the data and state observer classes in percentage of system size growth average time for invalid properties (above) and valid properties (below). We have used our prototype compiler to experiment with different implementations for the observers. The goal is to find the most efficient observer in practice, that is the observer with the lowest complexity. To this end, we have compared the complexity of different implementations on a fixed set of representative examples and for a specific set of properties (we consider both valid and invalid properties). The results for the leadsto pattern are displayed in Fig. 7. For the experiments used in this paper, we use three examples of TTS selected because they exhibit very different features (size of the state space, amount of concurrency and symmetry in the system,... ). Example CITY is a TTS obtained from a business workflow describing the delivery of identity documents in a French city hall. In this example, timing constraints arise from delays in the communication between services and time spent to perform administrative procedures. The valid property, in this case, states that the minimal possible delay for obtaining an id is 30 hours. This is a typical leadsto pattern that can